3.3 Caching passphrase
======================
When using GnuPG (gpg) as the PGP scheme, we recommend using a program
called ‘gpg-agent’ for entering and caching passphrases(1).
-- Variable: pgg-gpg-use-agent
If non-‘nil’, attempt to use ‘gpg-agent’ whenever possible. The
default is ‘t’. If ‘gpg-agent’ is not running, or GnuPG is not the
current PGP scheme, PGG’s own passphrase-caching mechanism is used
(see below).
To use ‘gpg-agent’ with PGG, you must first ensure that ‘gpg-agent’
is running. For example, if you are running in the X Window System, you
can do this by putting the following line in your ‘.xsession’ file:
eval "$(gpg-agent --daemon)"
For more details on invoking ‘gpg-agent’, see the node ‘(gnupg)Invoking
GPG-AGENT’ in the GnuPG manual.
Whenever you perform a PGG operation that requires a GnuPG
passphrase, GnuPG will contact ‘gpg-agent’, which prompts you for the
passphrase. Furthermore, ‘gpg-agent’ “caches” the result, so that
subsequent uses will not require you to enter the passphrase again.
(This cache usually expires after a certain time has passed; you can
change this using the ‘--default-cache-ttl’ option when invoking
‘gpg-agent’.)
If you are running in an X Window System environment, ‘gpg-agent’
prompts for a passphrase by opening a graphical window. However, if you
are running Emacs on a text terminal, ‘gpg-agent’ has trouble receiving
input from the terminal, since it is being sent to Emacs. One
workaround for this problem is to run ‘gpg-agent’ on a different
terminal from Emacs, with the ‘--keep-tty’ option; this tells
‘gpg-agent’ to use its own terminal to prompt for passphrases.
When ‘gpg-agent’ is not being used, PGG prompts for a passphrase
through Emacs. It also has its own passphrase caching mechanism, which
is controlled by the variable ‘pgg-cache-passphrase’ (see below).
There is a security risk in handling passphrases through PGG rather
than ‘gpg-agent’. When you enter your passphrase into an Emacs prompt,
it is temporarily stored as a cleartext string in the memory of the
Emacs executable. If the executable memory is swapped to disk, the root
user can, in theory, extract the passphrase from the swapfile.
Furthermore, the swapfile containing the cleartext passphrase might
remain on the disk after the system is discarded or stolen. ‘gpg-agent’
avoids this problem by using certain tricks, such as memory locking,
which have not been implemented in Emacs.
-- Variable: pgg-cache-passphrase
If non-‘nil’, store passphrases. The default value of this
variable is ‘t’. If you are worried about security issues,
however, you could stop the caching of passphrases by setting this
variable to ‘nil’.
-- Variable: pgg-passphrase-cache-expiry
Number of seconds a cached passphrase is kept before it expires.
If your passphrase contains non-ASCII characters, you might need to
specify the coding system to be used to encode your passphrases, since
GnuPG treats them as a byte sequence, not as a character sequence.
-- Variable: pgg-passphrase-coding-system
Coding system used to encode passphrases before they are passed to GnuPG.
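As an added example (not part of the PGG manual or its code), the following Emacs Lisp init fragment applies the trade-off described above: prefer ‘gpg-agent’, and fall back to PGG's own in-memory cache only with a short expiry. The helper ‘my-pgg-agent-running-p’ is hypothetical and assumes the classic ‘gpg-agent’ exports GPG_AGENT_INFO into Emacs's environment; the weak and hardened settings are shown side by side.

```elisp
;; Added example, not from the PGG manual.  Assumes gpg-agent was started
;; before Emacs with `eval "$(gpg-agent --daemon)"', so that the
;; GPG_AGENT_INFO variable is visible to Emacs (an assumption, not PGG's API).
(require 'pgg)

(defun my-pgg-agent-running-p ()
  "Return non-nil when a gpg-agent appears to be reachable from Emacs.
Hypothetical helper: it only checks the GPG_AGENT_INFO environment
variable that the classic gpg-agent exports."
  (and (getenv "GPG_AGENT_INFO") t))

;; Weak setting: cleartext passphrases linger in Emacs memory for an
;; hour, and may end up in swap, whether or not an agent is available.
;; (setq pgg-cache-passphrase t
;;       pgg-passphrase-cache-expiry 3600)

;; Hardened setting: let gpg-agent do the prompting and caching whenever
;; it is running, so the passphrase never sits in Emacs's heap.
(setq pgg-gpg-use-agent t)

(if (my-pgg-agent-running-p)
    ;; With an agent, PGG's own cache is never consulted; switch it off
    ;; anyway so a later scheme change cannot silently re-enable it.
    (setq pgg-cache-passphrase nil)
  ;; No agent reachable: keep PGG's in-memory cache usable for a short
  ;; burst of operations, but expire it after ten seconds.
  (setq pgg-cache-passphrase t
        pgg-passphrase-cache-expiry 10))

;; GnuPG sees the passphrase as a byte sequence, so pin the coding system
;; for non-ASCII passphrases to avoid a mismatch between Emacs and gpg.
(setq pgg-passphrase-coding-system 'utf-8)
```

Evaluate this from your init file before the first PGG operation; the agent check runs once at load time, so restart Emacs (or re-evaluate the ‘if’ form) after starting ‘gpg-agent’.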
---------- Footnotes ----------
(1) Actually, ‘gpg-agent’ does not cache passphrases but private
keys. On the other hand, from a user’s point of view, this technical
difference isn’t visible.